Using Local On-Prem Resolution

The Local On-Prem Resolution feature found in Infoblox Threat Defense security policies allows for DNS resolution via local Internet breakouts while still applying a security policy to the DNS query/response. The Local On-Prem Resolution feature works on NIOS-X servers and NIOS-X as a Service instances that run both the DFP (DNS Forwarding Proxy) service from Infoblox Threat Defense and the DNS service from Universal DDI. The Local On-Prem Resolution feature does not apply to NIOS hosts running DFP and it does not apply to Infoblox Endpoints.

When you enable Local On-Prem Resolution in a security policy, the NIOS-X server resolves the DNS query locally. The DNS request and response are then forwarded to Infoblox Cloud for security policy validation. This improves web application performance and ensures local geographic DNS resolution. The feature is particularly beneficial for organizations that need to:

  • Maintain accessibility to online resources during potential service outages.

  • Ensure data security while leveraging local resolution.

When integrating Infoblox Threat Defense Business Cloud or Infoblox Threat Defense Advanced with Universal DDI NIOS-X servers running the DNS service, the DFP service supports Local On-Prem Resolution via recursive DNS to validate security policy compliance in Infoblox Threat Defense. To protect against data exfiltration via DNS, an exfiltration filter list is automatically maintained on DFP.

Configuration

Local On-Prem Resolution is configured per security policy and is disabled by default.
For information on configuring security policies, see Configuring Security Policies.

Benefits of Using Local On-Prem Resolution

Infoblox Threat Defense DFP with Universal DDI DNS:

  • Better web application performance and localization through a local geographic DNS resolution.

  • Better protection against already identified DNS exfiltration domains.

  • Extended protection by Infoblox Platform.

  • 100% resiliency and core security if platform services are not reachable.

Take the following into consideration when using Local On-Prem Resolution:

  • Slower resolution might occur when compared to platform-based DNS resolution. However, this affects only the initial request. Additional requests will resolve normally due to responses coming from the local cache.  

  • Potential privacy concerns due to being profiled for using unencrypted communications with root and authoritative DNS servers.

Prerequisites for Using Local On-Prem Resolution

  • Local On-Prem DNS resolution requires Infoblox Threat Defense Advanced or Business Cloud and also requires Universal DDI NIOS-X server(s) running the DNS service.

  • DFP and Universal DDI DNS services should be running on the same host.

    * If the Infoblox host must forward local queries to another server (i.e., it cannot resolve DNS queries directly via the root servers), see the documentation page on BloxOne DDI Forwarders.

Local On-Prem Resolution Workflows

Depending on your network infrastructure, you may need to optimize your DNS traffic and allow for local DNS resolution or internet breakouts. In this scenario, you can enable Local On-Prem Resolution to improve the performance of your web applications while taking advantage of Infoblox Platform security policy validation.

On the other hand, if you are concerned about losing privacy and that your organization may be profiled due to unencrypted communications with root and authoritative DNS servers, or if you do not want to include a fail open configuration, you can disable Local On-Prem Resolution, which is the default configuration. 

The following sections explain the workflows of the enabled and disabled Local On-Prem Resolution.

Local On-Prem Resolution Enabled

The following diagram illustrates how DNS queries and responses are handled when Local On-Prem Resolution is enabled.

Diagram: A DNS query resolution process with local on-premises resolution enabled, showing the steps taken when a user makes a request.

When Local On-Prem Resolution is enabled, all DNS requests will be resolved locally on the host. The DNS requests and responses will then be validated according to the configured policy in the Infoblox Platform. 

When Local On-Prem Resolution is enabled, if a client wants to connect to “example.com”, the following occurs:

  1. The client sends a request to the NIOS-X server, which passes the query to the DNS Forwarding Proxy (DFP) that is integrated with the Universal DDI DNS service.

  2. DFP’s internal policy engine will validate whether or not "example.com" is already a known domain that is used for DNS exfiltration, infiltration, or tunneling.

  3. If the request is not blocked locally, then Universal DDI will resolve the domain by sending requests to the root DNS servers and the authoritative DNS servers to verify the TLD (".com") and the domain name ("example.com").

  4. The authoritative DNS responds back.

  5. The request and the response will be checked against the Infoblox Platform for security policy validation via an API call on TCP-443 to ope.infobloxtd.com.

  6. If the request is identified as malicious or if it should be blocked by a policy, then the response will be altered.

  7. DFP will cache the results and respond back to the client.

  8. The client will (or will not) connect to "example.com," depending on the outcome of the response.

Local On-Prem Resolution Disabled

When Local On-Prem Resolution is disabled (the default), there are no changes to how the DNS service performs.

With Local On-Prem Resolution disabled, a client connects to the Infoblox DNS services by default. The following diagram illustrates the workflow when Local On-Prem Resolution is disabled.

Diagram: A DNS query resolution process when local on-premises resolution is disabled.

Enabling and Disabling Local On-Prem Resolution for a New Security Policy

To enable Local On-Prem Resolution, you must toggle it on in the security policy (on the policy page). For information on configuring security policies, see Configuring Security Policies.

For information on adding Local On-Prem Resolution to a policy rule, see Adding Policy Rules and Setting Precedence.

To enable or disable Local On-Prem Resolution for a new security policy, complete the following: 

  1. From the Infoblox Portal, click Configure > Security > Policies. Then click Create located on the top action bar.

  2. On the Create New Security Policy page, complete the following:

    • Local On-Prem Resolution: To enable Local On-Prem Resolution for a security policy, toggle the switch from disabled to enabled. To disable Local On-Prem Resolution support for a security policy, toggle the switch from enabled to disabled.

  3. After configuring the Local On-Prem Resolution settings for the new policy, continue with the security policy configuration process until complete.

  4. Click Save & Close to save the newly configured security policy and to exit the configuration page.

For information on configuring security policies, see Configuring Security Policies.

Adding Policy Rules for Local On-Prem Resolution

You can add custom lists, feeds and Threat Insight, category and application filters to your policy rules. Depending on your business requirements, you can add as many feeds and Threat Insight, custom lists or category filters as you need and apply them to different security policies. Note that you must first define a custom list or a category filter before you can add it to the security policy. For information about how to create a custom list, see Creating Custom Lists. For information about how to add category or application filters, see Configuring Filters.

To add policy rules, apply actions, and set precedence, complete the following:

On the Policy Rules page of the Create New Security Policy wizard, click the Add Rule menu and choose one of the following policy types:

  • Custom List

  • Feeds and Threat Insight

  • Category Filter

  • Application Filter

  • Tag

Note: When you choose a policy type, the system adds it to the table.

You can perform the following for each rule:

  • Click Select List to view available rules for the respective policy type.

  • Click the Action menu to set the action for each policy rule. For more information about what each action means, see About Rule Actions.

  • Set the precedence order for a policy rule by clicking the up and down arrows at the end of each row to move the rule to its desired rank. The system applies policy rules based on the precedence order. Although you have the flexibility to set precedence for each rule, it is important that you understand the ramification of putting certain policy rules before others. For more information, see Security Policy Precedence.

  • Choose a policy rule and click Remove to remove it from the list.

  • Custom List: Choose this to add a custom list to the policy. When you click a custom list, you can view the Threat Level and Threat Confidence. When you are ready, click Select to add the custom list to the policy. Custom lists can be either allow lists or block lists, depending on the actions that you set upon them. For more information about custom lists, see Custom Lists.

  • Feeds and Threat Insight: Choose this to add a feed or Threat Insight to the policy. When you click a feed or Threat Insight, you can view the Threat Level and Threat Confidence. When you are ready, click Select to add the feed or Threat Insight to the policy. For more information, see Viewing Active Threat Feeds and Threat Insight

  • Category Filter: Choose this to add a category filter to the policy. Choose a category filter and click Select to add the category filter to the policy. Category filters are content categorization rules that allow you to detect and filter internet content and traffic that you want to allow or block. Choose the name of the category from among the Select List options under the NAME menu to add to your security policy. Choose an action type from among the action options under the ACTION menu to add to your security policy. For more information, see Configuring Filters.

  • Application Filter: Choose this to add an application filter to the policy. Choose an application filter and click Select to add the application filter to the policy. Application filters are application categorization rules that allow you to detect and filter internet content and traffic that you want to allow or block. Choose the name of the application from among the Select List options under the NAME menu to add to your security policy. Choose an action type from among the action options under the ACTION menu to add to your security policy. You can also add a custom application filter by clicking the New Filter option in the Choose Application Filter drop-down menu. To create your custom application filter, you must provide a name for the custom application list. A description for the custom list is optional. Under APPLICATIONS, select from among the available options in the AVAILABLE list of applications to add an application to your custom application filter.

You can add multiple rule types to a security policy. To do so, click the Rule menu and add another rule type until you have finished adding rules to your security policy. For additional information on adding rules to a security policy, see Adding Policy Rules and Setting Precedence.

For additional information on configuring filters, see Configuring Filters.

  1. To use Local On-Prem Resolution, on the Policy Rules page of the Create New Security Policy wizard under the ACTION menu, select Allow - Local Resolution as the default action when configuring Local On-Prem Resolution.

  2. After you add policy rules, set actions, and precedence, click Finish to complete policy set-up, or click Next to add bypass codes. For more information, see Adding Bypass Codes to a Security Policy.

  3. Once you have added your bypass codes, click Next to view the summary. 

After reviewing the security policy summary, click Save & Close to save the security policy configuration.

Local On-Prem Resolution Policy Decision-making

For a DNS query received from the client, a policy check is performed to check if Local On-Prem Resolution is enabled. Decision actions based on the breakout configuration will be used by Universal DDI to perform the corresponding actions as follows:

  • ALLOW: Returns the response from the local resolution to the client.

  • BLOCK: Returns NXDOMAIN to the client.

  • CUSTOM (i.e., REDIRECT): Returns the rewrite value to the client; if the rewrite value is a CNAME, BIND resolves the CNAME target. Note that the resolution result of the CNAME target is not sent for re-validation.

  • LOCAL with TD: Locally resolves the query while contacting the Onprem Policy Cache (OPC) for a policy check on the response.

  • FULL TD: Forwards the query to Infoblox Threat Defense for both resolution and policy check on the platform.
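The enabled workflow (steps 1 to 8 above) and the decision actions listed here can be modelled as a small decision function. The following is an added illustration, not Infoblox code: the zone data, the exfiltration list, the platform block list, the rewrite entry and the function names are constructed assumptions. It models the "LOCAL with TD" path and shows three points the text makes: the local exfiltration filter applies before any resolution, the host fails open to the unvalidated local answer when the platform is unreachable, and a CNAME rewrite target is resolved without being re-validated even if that target is itself on the block list.

```python
"""Model of the Local On-Prem Resolution decision path (added illustration).
All names and sample data below are constructed assumptions, not Infoblox code
or real threat intelligence."""

NXDOMAIN = "NXDOMAIN"

# Constructed sample data (documentation IP ranges, made-up domains).
LOCAL_EXFIL_LIST = {"tunnel.example.net"}          # DFP's local exfiltration filter
PLATFORM_BLOCK_LIST = {"bad.example.org", "cnametarget.example.org"}  # cloud policy
ZONE = {                                           # what local recursion would answer
    "example.com": "A 203.0.113.10",
    "bad.example.org": "A 203.0.113.20",
    "cnametarget.example.org": "A 203.0.113.30",
}
REWRITES = {"redirect.example.com": "CNAME cnametarget.example.org"}  # CUSTOM action


def local_resolve(name):
    """Steps 3-4: recursion via root/authoritative servers, modelled as a lookup."""
    return ZONE.get(name, NXDOMAIN)


def platform_verdict(name, platform_up):
    """Step 5: policy check with the platform (OPC). None when it is unreachable."""
    if not platform_up:
        return None
    if name in REWRITES:
        return "CUSTOM"
    return "BLOCK" if name in PLATFORM_BLOCK_LIST else "ALLOW"


def resolve(name, platform_up=True):
    """Return (response_sent_to_client, validated_by_platform)."""
    # Step 2: the local exfiltration/tunneling check runs before any resolution,
    # so it still applies when the platform is down.
    if name in LOCAL_EXFIL_LIST:
        return NXDOMAIN, False
    answer = local_resolve(name)
    verdict = platform_verdict(name, platform_up)
    if verdict is None:
        # Fail open: the local answer is returned without cloud validation.
        return answer, False
    if verdict == "BLOCK":
        return NXDOMAIN, True
    if verdict == "CUSTOM":
        rewrite = REWRITES[name]
        if rewrite.startswith("CNAME "):
            target = rewrite.split(" ", 1)[1]
            # Caveat from the page: the CNAME target is resolved locally but its
            # result is NOT sent back for re-validation, even if it is block-listed.
            return f"{rewrite} -> {local_resolve(target)}", True
        return rewrite, True
    return answer, True
```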

Local On-Prem Resolution per Application

To use local on-prem DNS resolution per application, an Infoblox Threat Defense subscription is required. Also, a third-party fallback DNS server should be configured with DNS Forwarding Proxy (DFP). Select Allow - Local Resolution as the default action type from the available options under the ACTION menu on the Policy Rules page of the Security Policy wizard when adding an application filter to the security policy. The Allow - Local Resolution action type only functions when configuring application filters.

Local on-prem resolution per application works similarly to local on-prem resolution for domains, with the difference that it works specifically with web-based applications and is designed for when Local On-Prem Resolution is not set at the security policy level (i.e., all traffic is resolved by Infoblox Threat Defense Cloud other than the applications in the Application Filter set with the action Allow - Local Resolution).

When a request is received for one of the applications, DFP will use the configured third-party fallback DNS servers to resolve the request. It is important that this DNS server is located nearby. Infoblox Endpoint will forward the request to the network-provided DNS servers.

When Allow - Local Resolution has been selected as the default action type for an application filter, the on-prem policy engine decides which policies need to be checked locally rather than in the platform, and which domains need to be bypassed.

Requests for anything other than the applications configured in the security policy are forwarded to the Infoblox Platform as usual.

Warning: The applications configured in the security policy must be trusted as other security validations are bypassed. This is not the case if you are using a secure third-party DNS service such as NIOS configured with a DNS Firewall feed.

Creating and Adding Application Filters to a Security Policy Configured with Local On-Prem Resolution

Application filters are a set of rules that Infoblox Threat Defense uses to detect and filter specific Internet content. The Application Classification Service (ACS) provides accessibility to applications based on their category or subcategory. Using application filters, you can set security policies based on whether you want to allow an app to access the Internet at all times, or if you want the app to use local resolution when used with Universal DDI appliances. 

Only when an application filter is set to Allow - Local Resolution does the OPE decide that the policies need to be checked locally rather than in the platform, and that the domain needs to be bypassed.

To create an application filter, complete the following:

  1. From the Infoblox Portal, click Configure > Security > Policies.

  2. On the Security Policies page, click the Filters tab located above the top Action bar.

  3. On the Filters page, click Create Filter on the top Action bar.

  4. From among the options displayed (Create Category Filter or Create App Filter), click Create App Filter.

  5. On the Create Application Filter page, complete the following:

    • Name: Enter a name for the content application filter. Ensure that you use a unique name for each filter. This is a required field.

    • Description: Enter a brief description of the filter. You can enter up to 256 characters.

  6. From the applications list, APPLICATIONS, expand the AVAILABLE list by clicking on the respective arrow next to the application type. Application types include:

    • Productivity: Microsoft Sharepoint, Microsoft 365.

    • Personal Storage: Microsoft OneDrive.

    • Email: Microsoft Exchange.

    • Video Conferencing: Skype for Business, Microsoft Teams.

  7. From the AVAILABLE list select the checkboxes of the specific sub-applications you want to include in the rule, and then use the arrows to move the selected subcategories from the AVAILABLE list to the SELECTED list. You can include as many applications and sub-applications as you want based on your needs.

  8. To remove a sub-application from the SELECTED list, click the X located to the right of the sub-application's name. 

  9. Click Save & Close to save or Cancel to cancel the configuration. Infoblox Threat Defense adds the application filter to the list. You can now add the application filter to a security policy or to multiple policies. For more information, see Configuring Security Policies.

To add an application filter to a security policy configured for Local On-Prem Resolution, see Adding Policy Rules and Setting Precedence.

For information on configuring a security policy for use with Local On-Prem Resolution, see Configuring Security Policies.

For information on configuring application filters for use with Local On-Prem Resolution, see Using Filters.
